Dr. Sorot Panichprecha, Managing Director Epiphany Consulting

Dr. Sorot Panichprecha, Managing Director Epiphany Consulting
CISSP, GSEC, GCIH, GPEN, GCIA, GWAPT, GCFE, GCFA, GREM
Website Security
Incident Handling
What to do when you get
hacked?
Outline
❖
Incident Handling Process Overview
❖
Preparation
❖
Detection and Analysis
❖
Containment, Eradication, and Recovery
❖
Post-incident
❖
Conclusion
Event vs Incident
❖
Event is any observable activity in a system or network.
❖
Incident is an event that causes harm or has an intent to
harm.
❖
Depending on the situation and the context.
Event or Incident?
❖
A user open the organisation web site.
❖
A user copies files from an intranet file server at 2 AM.
❖
Someone runs a port scanning on the public web server.
❖
Someone runs a port scanning on the intranet server.
❖
A system administrator posts a question about the
system configuration on a web board.
Not “what if” it is “when”
❖
It is not the matter of “what if” but it is the matter of
“when”.
❖
❖
Eventually everyone will be hacked!
Keep that in mind, and start preparing for the worse.
http://deadline.com/2014/12/sony-hack-timeline-any-pascal-theinterview-north-korea-1201325501/
Incident Handling Process
Preparation
Detection &
Analysis
Containment,
Eradication &
Recovery
Post-Incident
http://dx.doi.org/10.6028/NIST.SP.800-61r2
Outline
❖
Incident Handling Process Overview
❖
Preparation
❖
Detection and Analysis
❖
Containment, Eradication, and Recovery
❖
Post-incident
❖
Conclusion
Preparation
❖
Contact information
❖
Incident reporting mechanisms
❖
Issue tracking system
❖
Encryption software
❖
War room
❖
Secure storage facility
Tools
❖
Digital forensic workstations and software
❖
Backup devices
❖
Laptops
❖
Spare workstations, servers, networking equipment
❖
Blank removable media
❖
Packet sniffers and protocol analysers
❖
Evidence acquisition accessories
Training
❖
Incident handler should receive adequate trainings.
❖
Basic information security.
❖
Security incident handling.
❖
Intrusion detection analysis.
❖
Digital forensic analysis.
❖
Reverse-engineering malware.
http://www.sans.org/security-training/roadmap.pdf
Preventing Incidents
❖
Risk assessments
❖
Host and network security
❖
Malware prevention
❖
User awareness and training
Outline
❖
Incident Handling Process Overview
❖
Preparation
❖
Detection and Analysis
❖
Containment, Eradication, and Recovery
❖
Post-incident
❖
Conclusion
Attack Vectors
❖
External/Removable Media: an attack executed from a
USB disk.
❖
Attrition: DoS attack.
❖
Web: cross-site-scripting attack stealing credentials.
❖
Email: malware attachment.
❖
Impersonation: spoofing, man-in-the-middle.
❖
Improper Usage: user install unauthorised software.
Sign of an Incident
❖
Automatic detection: IDS/IPS alerts, SIEM alerts.
❖
Manual detection: problems report by users.
❖
Precursor: a sign before an actual attack.
❖
Indicator: alerts.
Analysis (1)
❖
An intrusion analysis and validation can be a challenging task.
❖
To make the task easier, you should prepare the following
information:
❖
Network and system profile: expected activities.
❖
Understand normal behaviours.
❖
Create a log retention policy: how long the log should be
stored.
❖
Event correlation: firewall log + application log.
Analysis (2)
❖
Clock synchronisation: make sure your NTP is working
properly.
❖
Run packet sniffers to collect additional data.
❖
Filter the data.
❖
Seek assistance from others.
Documentation
❖
Issue tracking system should
record the following information:
❖
❖
❖
❖
Current status of the incident:
new, in progress, forwarded
for investigation, resolved.
Summary of the incident.
Indicators related to the
incident.
Other incident related to this
incident.
❖
Actions taken by all incident
handlers on this incident.
❖
Chain of custody.
❖
Impact assessments.
❖
Contact information.
❖
List of gathered evidence.
❖
Comments from incident
handlers.
❖
Next steps.
Prioritisation
❖
Functional impact of the incident: how the incident
impacts the functionality of the affected system.
❖
Information impact of the incident: may also impact not
only the organisation’s confidential information, but
also other organisation.
❖
Recoverability from the incident: size and type of
resources.
Incident Notification
❖
Once the incident has been analysed and prioritised, the
team needs to notify related people.
❖
Incident response policy should define whom and when
to inform in which case.
❖
People who should be informed: CIO, head of
information security, system owner, HR (internal
case), CERT.
Outline
❖
Incident Handling Process Overview
❖
Preparation
❖
Detection and Analysis
❖
Containment, Eradication, and Recovery
❖
Post-incident
❖
Conclusion
Containment Strategy
❖
Common strategy: disconnect from the network, shutdown, reinstall, and put the
machine back on.
❖
❖
This strategy may not always work.
Criteria for determining an appropriate strategy:
❖
Potential damage to resources
❖
Need for evidence preservation
❖
Service availability
❖
Time and resources required to implement the strategy
❖
Effectiveness of the strategy
❖
Duration of the solution
Evidence Gathering
❖
Use the digital forensic methodology to acquire the
evidence.
❖
Collect volatile data (RAM) first.
❖
Collect hard disk, USB disk, CD/DVD.
Identifying the Attacking Hosts
❖
Validating the attacking hosts’s IP address.
❖
Researching the attacking host through search engines.
❖
Use incident databases.
❖
Monitor possibly attacker communication channel.
Eradication and Recovery
❖
Eradication: deleting the malware, disable the infected
accounts, fix the vulnerabilities.
❖
Recovery: restore systems to normal operation.
❖
Beware that if the vulnerability still exists, attackers
will attack again.
Outline
❖
Incident Handling Process Overview
❖
Preparation
❖
Detection and Analysis
❖
Containment, Eradication, and Recovery
❖
Post-incident
❖
Conclusion
Lesson Learned
❖
What happened? When? How?
❖
How well did everyone perform?
❖
What information should have been available sooner?
❖
What can be done differently?
❖
What corrective actions should be implemented to prevent
similar incidents in the future?
❖
What precursors and indicators should have been monitored?
❖
What additional tools are needed?
Evidence Retention
❖
How long should we keep the evidence?
❖
❖
Prosecution: may take several years.
Data retention: 3 - 6 months
Outline
❖
Incident Handling Process Overview
❖
Preparation
❖
Detection and Analysis
❖
Containment, Eradication, and Recovery
❖
Post-incident
❖
Conclusion
Conclusion
❖
You will be hacked! So be prepared.
❖
Incident handling process
❖
Preparation
❖
Detection and analysis
❖
Containment, eradication, and recovery
❖
Post-incident
Website Security Standard (ขมธอ.1-2557)
1. ปิดการเชื่อมต่อของเว็บไซต์
2. สำเนาข้อมูลต่าง ๆ ที่เกี่ยวข้องกับการถูกบุกรุกเพื่อนำมาใช้ในการวิเคราะห์
3. ตรวจสอบช่องทางการโจมตีและช่องโหว่ของเว็บไซต์ด้วยข้อมูลที่สำเนามา
4. ระหว่างการตรวจสอบจัดสร้างเว็บเพจแบบ Static ขึ้นมาทดแทนเป็นการชั่วคราว
เพื่อชี้แจงสถานการณ์การปิดปรับปรุง
5. กู้คืนโปรแกรมที่เกี่ยวข้อง ข้อมูลเว็บ และฐานข้อมูลที่เกี่ยวข้องกับเว็บไซต์เป็น
เวอร์ชั่นก่อนหน้าที่จะถูกโจมตี
6. ตรวจสอบช่องโหว่ของเว็บไซต์ แก้ไขช่องโหว่ของเว็บไซต์
7. บันทึกเหตุการณ์และขั้นตอนการดำเนินการที่เกิดขึ้นทั้งหมด
Thank You
Dr. Sorot Panichprecha
sorot@epiphany-consulting.net
@sorotpan
EPIPHANY
CONSULTING